Frequently Asked Questions:

Service Organization Benefits

An unqualified (i.e., "clean") opinion in a SAS 70 service auditor’s report demonstrates that a service organization has effective controls in place. A Type I SAS 70 report would issue an unqualified opinion for a stated point in time (e.g., as of June 1, 2005), while a Type II report would issue an unqualified opinion over a stated time period (e.g., for the period June 1, 2007 to November 30, 2007). An additional benefit to service organizations is the ability to leverage SAS 70 compliance into a market differentiator against existing competitors who are vying for outsourcing contracts from user organizations. Becoming SAS 70 compliant also greatly decreases business interruption incidents by effectively removing the possibility of sporadic audits throughout the year for the sole purpose of satisfying requirements set forth by user organizations. Important facts should be taken into consideration before undergoing this specialized audit, along with understanding the history and overview of SAS 70. Another recommendation is to download a sample SAS 70 report and review its contents and the description of items for each section.

User Organization Benefits

Ultimately, user organizations are able to gain a greater understanding and assurance of the internal controls in place at service organizations. SAS 70 compliance signifies that service organizations have taken proactive steps in developing and implementing numerous controls throughout the identified platform or business process being used to process transactions for user organizations. Furthermore, Type I and Type II reports assist the external auditors of user organizations by cutting down on the time and costs of having to inquire about controls at service organizations. In short, if an audit were not conducted on the service organization, then user auditors would have to spend additional time and manpower in making specialized audit inquiries into the entity conducting the outsourcing service for the user organization. Proper communication between all parties, such as having a SAS 70 roadmap for compliance, will help mitigate issues that could potentially lead to unexpected or unforeseen additional cost and time expenditures.